The session runs in Claude Code auto permission mode. Mutations that matched NO permissions rule (e.g. bash scripts/opnsense-api.sh POST ..., editing .claude/settings*.json, invoking a Skill) fell through to the auto-mode classifier, which hard-denied them -- no approval prompt, so the operator could not approve/adjust and had to run them by hand. That is a wall, not a gate.
deny and explicit ask rules are evaluated before the auto-mode classifier (Claude Code auto-mode-config docs). An explicit ask rule therefore FORCES a prompt even in auto mode. So the fix is to ask-list the mutation surfaces; they become approve/deny/adjust prompts instead of classifier hard-denials.
.claude/settings.json, operator-applied)Added to ask (mutations now PROMPT): Bash(*opnsense-api.sh POST *), Bash(*opnsense-plugins.sh apply*), Bash(*tofu apply*), Bash(*tofu destroy*), Bash(*tofu import*), Bash(*tofu state rm*), Bash(*--commit*), Edit(.claude/settings.json), Edit(.claude/settings.local.json). Added to allow (read-only edge queries stay frictionless): Bash(OPNSENSE_API_HOST=* bash scripts/opnsense-api.sh GET *), Bash(bash scripts/opnsense-plugins.sh list*). deny + the PreToolUse guard hook UNCHANGED. Broad *-patterns catch the verb (POST/apply/--commit/tofu-mutations) to reduce future whack-a-mole.
The Edit(.claude/settings*.json) ask rules bootstrap self-service: from now on the agent CAN propose settings edits -- they arrive as prompts the operator approves, instead of being hard-denied (the chicken-and-egg that required this first edit to be operator-applied by hand).
auto + ask (not flipping to default mode)default mode would prompt on ALL non-allow-listed commands including read-only probes (ssh, journalctl, ping, pkg info) -- very noisy for this read-heavy audit work. auto + comprehensive ask keeps reads frictionless and makes mutations prompt: the exact requested behavior.
git revert this commit (restores the prior .claude/settings.json), or cp .claude/settings.json.bak .claude/settings.json (operator's local backup).